Yesterday, Apple CEO Tim Cook addressed the International Conference of Data Protection and Privacy Commissioners in Brussels. Mr. Cook voiced his support for sweeping data privacy legislation like the European Union’s General Data Protection Regulation (“GDPR”), which became effective in May 2018. Organizations that do not comply with the GDPR could face heavy fines.
According to E.U. officials, the GDPR “reshapes the way in which sectors manage data, as well as redefines the roles for key leaders in businesses.” The GDPR requires organizations to “ensure that they have watertight consent management processes in place,” and that marketing officers employ “effective data rights management systems.” See https://eugdpr.org/. The GDPR applies to “personal data,” meaning “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.” In other words, this broad definition “provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.” Id.
According to Mr. Cook, the United States should pass similar protections intended to give consumers more control over their personal information. “These scraps of data,” Cook argued, “each one harmless enough on its own…are carefully assembled, synthesized, traded, and sold.” Mr. Cook proposed that the United States implement a “comprehensive federal privacy law” with four essential rights:
“First, the right to have personal data minimized. Companies should challenge themselves to de-identify customer data – or not to collect it in the first place.
Second, the right to knowledge. Users should always know what data is being collected and what it is being collected for.
Third, the right to access. Companies should recognize that data belongs to users, and we should all make it easy for users to get a copy of, correct, and delete their personal data.
And fourth, the right to security. Security is foundational to trust and all other privacy rights.”
Companies large and small should take a moment to read the writing on the wall. Data privacy and cybersecurity are no longer niche business or side considerations. One misstep with respect to customer information or network security could ignite minefields of hidden—and not-so-hidden—calamities. If you are a businessperson reading this alert, please take a moment to ask yourself three simple questions:
- Am I confident that our customer data is safe?
- Am I confident that our company networks are safe?
- Am I confident that our employees have up-to-date knowledge about what to do in the event of a breach?
If your answer to any or all of these questions is “no” or “not sure,” please remember that you are not alone. What you do next, though, may set you apart from your competitors -- or may save your business.